用户能否逃脱asp.net core的应用程序文件夹?
[英]Is it possible for user to escape asp.net core's application folder?
问题描述
For example file css.css is accessible because it should be 
例如,文件css.css是可访问的,因为它应该是
access url: 访问网址:
localhost:1234/css.css
projects_folder
- application.dll
- wwwroot\css.css
but what about situation: 但是情况如何:
disk
secret_folder
- secret.txt
application_folder
- application.dll
- wwwroot\css.css
Can I safely assume that user is unable to this even with some tricks! 我可以安全地假设even with some tricks!用户也无法做到这一点even with some tricks! : :
localhost:1234/../secret_folder/secret.txt
in default ASP .NET Core's MVC template? 在默认ASP .NET Core的MVC模板中?
1 个解决方案
解决方案1
1 2018-10-23 09:55:05
It depends on how the application is configured. 这取决于应用程序的配置方式。
In the default ASP .NET Core's MVC template you should have the following in your Startup.Configure to allow access to static files in the wwwroot folder: 在默认的ASP .NET Core的MVC模板中,您应该在Startup.Configure中包含以下内容,以允许访问wwwroot文件夹中的静态文件:
public void Configure(IApplicationBuilder app)
{
app.UseStaticFiles(); // For the wwwroot folder
}
The parameterless UseStaticFiles method overload marks the files in web root (wwwroot) as servable. 无参数的UseStaticFiles方法重载将Web根(wwwroot)中的文件标记为可服务。
In order to access static files outside of the web root you would be required to add further configuration, as described in the following link: 为了访问Web根目录之外的静态文件,您将需要添加进一步的配置,如以下链接中所述:
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-2.1&tabs=aspnetcore2x https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-2.1&tabs=aspnetcore2x
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.